DETAILED ACTION

1. This is in response to the amendment filed on 14 August 2006. 

2. Claims 10, 11, 14-16 and 33-52 are pending in the application.

3. Claims 10, 11, 14-16 and 33-52 have been rejected.

4. Claims 1-9, 12, 13 and 17-32 have been cancelled. 

Response to Arguments 

5. Applicant's arguments with respect to claims 10, 11, 14-16 and 33-52 have been considered 
but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

6. Claims 10, 11, 33-41 and 45-48 are rejected under 35 U.S.C. 102(b) as being anticipated 
by Montague et al U.S. Patent No. 5,761,669. 

As to claim 10, Montague et al discloses a method as recited, wherein identifying first sub-entries
in a first access control list comprises: 

identifying a dimensional range and a policy action for each entry in the 
first access control list [column 16 line 18 to column 17 line 25]; 

identifying all overlapping dimensional ranges in the first access control
list, each overlapping dimensional range corresponding to where the dimensional
ranges of entries in the first access control list overlap [column 16 line 18 to
column 17 line 25];

Application/Control Number: 10/044,019

Art Unit: 2131

identifying all non-overlapping dimensional ranges in the first access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the first access control list that do not overlap 
dimensional ranges of other entries in the first access control list [column 16 line 
18 to column 17 line 25]; 

identifying a policy action for each identified overlapping dimensional 
range in the first access control list [column 16 line 18 to column 17 line 25]; and 

identifying a policy action for each identified non-overlapping 
dimensional range of the first access control list [column 16 line 18 to column 17 
line 25]. 

As to claims 11, 41 and 49, Montague et al discloses as recited, wherein identifying 
second sub-entries in a second access control list comprises: 

identifying a dimensional range and a policy action for each entry in the 
second access control list [column 16 line 18 to column 17 line 25]; 

identifying all overlapping dimensional ranges in the second access 
control list, each overlapping dimensional range corresponding to where the 
dimensional ranges of entries in the second access control list overlap [column 16 
line 18 to column 17 line 25]; 

identifying all non-overlapping dimensional ranges in the second access 
control list, each of the non-overlapping dimensional ranges corresponding to 
dimensional ranges of entries in the second access control list that do not overlap
dimensional ranges of other entries in the second access control list [column 16 
line 18 to column 17 line 25]; 

identifying a policy action for each identified overlapping dimensional 
range of the second access control list [column 16 line 18 to column 17 line 25]; 
and 

identifying a policy action for each identified non-overlapping 
dimensional range of the second access control list [column 16 line 18 to column 
17 line 25]. 

As to claim 33, Montague et al discloses a method of comparing access control lists to 
configure a security policy on a network, the method comprising the computer-implemented 
steps of: 

identifying first sub-entries in a first access control list, wherein the first 
access control list comprises first entries, and wherein the first sub-entries 
identified from the first access control list comprise (i) disjoint entries of the first 
entries or (ii) overlapping sections identified from the first entries or (iii)
non-overlapping sections identified from the first entries [column 16 line 18 to column
17 line 25]; and 

programmatically determining whether the first access control list is 
functionally equivalent to a second access control list by determining whether 
each of the first sub-entries in the first access control list is equivalent to or 
contained by one or more entries of the second access control list [column 16 line
18 to column 17 line 25].

As to claims 34, 38 and 46, Montague et al discloses determining that the first access
control list is functionally equivalent to the second access control list in response to a 
determination that each of the first sub-entries is equivalent to or contained by one or more 
entries of the second access control list [column 16 line 18 to column 17 line 25]. 

As to claims 35, 39 and 47, Montague et al discloses a method as recited, further 
comprising: 

identifying second sub-entries in the second access control list, wherein 
the second access control list comprises second entries, and wherein the second 
sub-entries identified from the second access control list comprise (i) disjoint 
entries of the second entries or (ii) overlapping sections identified from the second 
entries or (iii) non-overlapping sections identified from the second entries 
[column 17 line 40 to column 18 line 53]; and 

wherein determining whether each of the first sub-entries in the first access
control list is equivalent to or contained by one or more entries of the second
access control list includes determining whether each of the first sub-entries in
the first access control list is equivalent to or contained by one or more of the 
second sub-entries identified from the second control list [column 17 line 40 to 
column 18 line 53].

As to claim 36, Montague et al discloses a computer readable medium for comparing
access control lists to configure a security policy on a network, the computer readable medium 
carrying instructions for performing the steps of: 

identifying first sub-entries in a first access control list, wherein the first 
access control list comprises first entries, and wherein the first sub-entries 
identified from the first access control list comprise (i) disjoint entries of the first 
entries or (ii) overlapping sections identified from the first entries or (iii)
non-overlapping sections identified from the first entries [column 16 line 18 to column
17 line 25]; and

programmatically determining whether the first access control list is 
functionally equivalent to a second access control list by determining whether 
each of the first sub-entries in the first access control list is equivalent to or 
contained by one or more entries of the second access control list [column 16 line
18 to column 17 line 25].

As to claim 37, Montague et al discloses a policy server communicatively coupled to 
security devices in a network to configure a security policy on a network, the policy server 
comprising: 

a processor [column 16 line 18 to column 17 line 25]; 

a network interface that communicatively couples the processor to the 
network to receive flows of packets therefrom [column 16 line 18 to column 17 
line 25]; 

a memory [column 16 line 18 to column 17 line 25]; and

sequences of instructions in the memory which, when executed by the
processor, cause the processor to carry out the steps of: 

identifying first sub-entries in a first access control list, wherein 
the first access control list comprises first entries, and wherein the first 
sub-entries identified from the first access control list comprise (i) disjoint 
entries of the first entries or (ii) overlapping sections identified from the 
first entries or (iii) non-overlapping sections identified from the first 
entries [column 16 line 18 to column 17 line 25]; and 

programmatically determining whether the first access control list 
is functionally equivalent to a second access control list by determining 
whether each of the first sub-entries in the first access control list is 
equivalent to or contained by one or more entries of the second access 
control list [column 16 line 18 to column 17 line 25].

As to claims 40 and 48, Montague et al discloses a policy server as recited, wherein the
instructions for performing identifying first sub-entries in a first access control list comprise: 

instructions for performing identifying a dimensional range and a policy 
action for each entry in the second access control list [column 17 line 40 to 
column 18 line 53]; 

instructions for performing identifying all overlapping dimensional ranges 
in the second access control list, each overlapping dimensional range 
corresponding to where the dimensional ranges of entries in the second access 
control list overlap [column 17 line 40 to column 18 line 53]; 



instructions for performing identifying all non-overlapping dimensional 
ranges in the second access control list, each of the non-overlapping dimensional 
ranges corresponding to dimensional ranges of entries in the second access 
control list that do not overlap dimensional ranges of other entries in the second 
access control list [column 17 line 40 to column 18 line 53]; 

instructions for performing identifying a policy action for each identified 
overlapping dimensional range in the second access control list [column 17 line 
40 to column 18 line 53]; and 

instructions for performing identifying a policy action for each identified 
non-overlapping dimensional range of the second access control list [column 17 
line 40 to column 18 line 53].

As to claim 45, Montague et al discloses an apparatus for comparing access control lists
to configure a security policy on a network, the apparatus comprising: 

means for identifying first sub-entries in a first access control list, wherein 
the first access control list comprises first entries, and wherein the first sub-entries 
identified from the first access control list comprise (i) disjoint entries of the first 
entries or (ii) overlapping sections identified from the first entries or (iii) 
non-overlapping sections identified from the first entries [column 16 line 18 to 
column 17 line 25]; and 

means for programmatically determining whether the first access control 
list is functionally equivalent to a second access control list by determining 
whether each of the first sub-entries in the first access control list is equivalent to 
or contained by one or more entries of the second access control list [column 16
line 18 to column 17 line 25]. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 14, 42 and 50 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Montague et al U.S. Patent No. 5,761,669 as applied to claims 33, 37 and 45 above, and 
further in view of Brawn et al U.S. Patent No. 7,020,718 B2. 

As to claims 14, 42 and 50, Montague et al does not teach that identifying a dimensional 
range and a policy action for each entry in the first access control list includes identifying a 
source address range and a destination address range for communication packets specified by 
each of the entries in the first access control list. 

Brawn et al teaches identifying a source address range and a destination address range for 
communication packets specified by each of the entries in the first access control list [column 8 
line 41 to column 9 line 2]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Montague et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would 
have included identifying a source address range and a destination address range for 
communication packets specified by each of the entries in the first access control list.

It would have been obvious to a person having ordinary skill in the art at the time the
invention was made to have modified Montague et al by the teaching of Brawn et al because an 
advantage includes providing a discontiguous address plan that allows thousands of discrete, 
different sized, and seemingly irregularly spaced address ranges to be accessed and identified by 
a small number of address and mask combinations. Another advantage includes providing an 
enterprise having a large complex network with a discontiguous network address plan configured 
to optimize for route advertisement, ACL entries, firewall configurations, and multiple network 
policies [column 6, lines 27-35]. 

8. Claims 15, 43 and 51 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Montague et al U.S. Patent No. 5,761,669 as applied to claims 33, 37 and 45 above, and 
further in view of Mate et al U.S. Patent No. 7,020,718 B2. 

As to claims 15, 43 and 51, Montague et al does not teach that identifying a dimensional 
range and a policy action for each entry in the first access control list includes identifying a 
source port range and a destination port range for communication packets specified by each of 
the entries in the first access control list. 

Mate et al teaches identifying a source port range and a destination port range for 
communication packets specified by each of the entries in the first access control list [column 11, 
lines 4-19]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Montague et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would 
have included identifying a source port range and a destination port range for communication
packets specified by each of the entries in the first access control list. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Montague et al by the teaching of Mate et al because it 
provides a method and system having fast search capabilities for classifying a plurality of types 
of data traffic and route lookup [column 3, lines 14-16]. 

9. Claims 16, 44 and 52 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Montague et al U.S. Patent No. 5,761,669 as applied to claims 33, 37 and 45 above, and 
further in view of Banginwar U.S. Patent No. 7,020,718 B2. 

As to claims 16, 44 and 52, Montague et al does not teach identifying a dimensional 
range and a policy action for each entry in the first access control list includes identifying a 
communication protocol for communication packets specified by each of the entries in the first 
access control list. 

Banginwar teaches identifying a communication protocol for communication packets 
specified by each of the entries in the first access control list [column 3, lines 18-46]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Montague et al so that a dimensional range and a 
policy action would have been identified for each entry in the first access control list that would 
have included identifying a communication protocol for communication packets specified by 
each of the entries in the first access control list. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Montague et al by the teaching of Banginwar because it 
enables a policy manager to communicate with the many devices connected to it [column 3, lines
47-54]. 

Conclusion 

10. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Aravind K Moorthy 
October 26, 2006 